
Extra security measure for Cooker.

1 parent d51b876 commit ef4d846836694be4608c68fa9e7ab79a8fd5abd3 @gabordemooij committed Nov 29, 2012
Showing with 40 additions and 2 deletions.
  1. +24 −2 RedBean/Plugin/Cooker.php
  2. +16 −0 testing/RedUNIT/Plugin/Graph.php
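--- a/RedBean/Plugin/Cooker.php
+++ b/RedBean/Plugin/Cooker.php
@@ -20,6 +20,12 @@
 */
 class RedBean_Plugin_Cooker implements RedBean_Plugin {
+ /**
+ * Flag, determines whether it's possible to load beans with graph().
+ * @var boolean
+ */
+ private static $loadBeans = false;
+
 /**
 * This flag indicates whether empty strings in beans will be
 * interpreted as NULL or not. TRUE means Yes, will be converted to NULL,
@@ -28,6 +34,17 @@ class RedBean_Plugin_Cooker implements RedBean_Plugin {
 */
 private static $useNULLForEmptyString = false;
+ /**
+ * If you enable bean loading graph will load beans if there is an ID in the array.
+ * This is very powerful but can also cause security issues if a user knows how to
+ * manipulate beans and there is no model based ID validation.
+ *
+ * @param boolean $yesNo
+ */
+ public static function enableBeanLoading($yesNo) {
+ self::$loadBeans = ($yesNo);
+ }
+
 /**
 * Sets the toolbox to be used by graph()
 *
@@ -83,8 +100,13 @@ public function graph( $array, $filterEmpty = false ) {
 unset($array['type']);
 //Do we need to load the bean?
 if (isset($array['id'])) {
- $id = (int) $array['id'];
- $bean = $this->redbean->load($type,$id);
+ if (self::$loadBeans) {
+ $id = (int) $array['id'];
+ $bean = $this->redbean->load($type,$id);
+ }
+ else {
+ throw new RedBean_Exception_Security('Attempt to load a bean in Cooker. Use enableBeanLoading to override but please read security notices first.');
+ }
 }
 else {
 $bean = $this->redbean->dispense($type);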
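Review bot: The guard `if (self::$loadBeans)` in graph() tests a single static that is not scoped per bean type or per call, so once any code path calls enableBeanLoading(true) every later graph() call in the same process may load any type by the caller-supplied id until it is switched off again; the enableBeanLoading docblock should state this, e.g. `* Note: the switch is global for the whole process, not per type or per graph() call;` `* turn it off again once the trusted graph() call has completed.` In enableBeanLoading, `self::$loadBeans = ($yesNo);` stores the raw argument even though the property is documented as `@var boolean`; `self::$loadBeans = (bool) $yesNo;` keeps the stored value and the later truthiness check consistent. graph() starts and ends outside the hunk, so it is not visible here whether `$type` was validated before the load.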
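--- a/testing/RedUNIT/Plugin/Graph.php
+++ b/testing/RedUNIT/Plugin/Graph.php
@@ -24,6 +24,7 @@ class RedUNIT_Plugin_Graph extends RedUNIT_Plugin {
 */
 public function run() {
 R::nuke();
+ RedBean_Plugin_Cooker::enableBeanLoading(true);
 R::dependencies(array());
 global $currentDriver;
 global $lifeCycle;
@@ -442,6 +443,21 @@ public function run() {
 array('type'=>'coupon','id'=>$couponID)
 )
 );
+ RedBean_Plugin_Cooker::enableBeanLoading(false);
+
+ $exc = false;
+ try{
+ $order = R::graph($form);
+ fail();
+ }
+ catch(Exception $e) {
+ $exc = $e;
+ }
+
+ asrt(($exc instanceof RedBean_Exception_Security),true);
+
+ RedBean_Plugin_Cooker::enableBeanLoading(true);
+
 $order = R::graph($form);
 asrt($order->getMeta('type'),'order');
 asrt(count($order->ownProduct),1);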
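Review bot: run() switches the process-wide flag on at `RedBean_Plugin_Cooker::enableBeanLoading(true);` in the first hunk and again after the exception check in the second, but nothing in either hunk turns it back off, so any test executed later in the same process inherits bean loading enabled and never exercises the new default-deny path; add `RedBean_Plugin_Cooker::enableBeanLoading(false);` at the end of run(), which continues outside the hunk. The `catch(Exception $e)` in the second hunk is broad enough to also catch whatever `fail()` raises if graph() unexpectedly succeeds, so that outcome would surface only as the `instanceof` assertion failing; a comment such as `// fail() is only reached if graph() loads a bean while loading is disabled` makes the intent of the try block clear to the next reader.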
